[Dnsmasq-discuss] Automatic DNSSEC-signing of resource records

Rene Bartsch ml at bartschnet.de
Thu Sep 11 19:54:56 BST 2014


Am 2014-09-11 15:50, schrieb Jeroen van der Ham:
> Hi,
> 
> On 22 Aug 2014, at 16:57, Rene Bartsch <ml at bartschnet.de> wrote:
>> BIND and PowerDNS can sign resource records automatically when run as 
>> primary DNS with DNSSEC. Does Dnsmasq support signing resource records 
>> automatically in authoritative mode or are there any plans to support 
>> automatic zone signing in authoritative mode?
> 
> When exactly would you want dnsmasq to run as an authoritative name 
> server?
> 
> Note that signing records is not as simple as just flipping a switch,
> the key has to be trusted as well. Which means that you have to
> register a key at your registrar.
> 
> If it is for private use, there is no reason to use DNSSEC anyway.
> 

Yes, there is. ;-)

If you want to use your public domain in the local network (e.g. to 
resolve hostnames at multiple locations/local networks) and verify host 
certificates with DANE, you usually have to run Dnsmasq as caching 
resolver and DHCP server on the router and an additional primary 
nameserver hosted in a data center. You also have to synchronize a lot 
of resource records between Dnsmasq DHCP and the primary nameserver. If 
Dnsmasq supports automatic signing of resource records and your internet 
socket has a public static IP, you save the additional primary nameserver, 
as Dnsmasq can handle this. And you do not need proprietary 
synchronization mechanisms between Dnsmasq DHCP and the primary nameserver.

You may also want to use Dnsmasq as a much simpler alternative to 
BIND/PowerDNS.

Last but not least, consumer routers can act as primary nameservers for 
consumer domains with an easy-to-administrate web interface.

-- 
Best regards,

Renne
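The post above relies on DANE to verify host certificates, which in turn needs TLSA records published in a DNSSEC-signed zone. The following is an added example, not code from the thread or from the Dnsmasq project: it derives the TLSA "certificate association data" for a certificate and checks a presented certificate against a TLSA record, using only the Python standard library. It covers usage 3 (DANE-EE) with selector 0 (full certificate) and SHA-256/SHA-512 matching as defined in RFC 6698; selector 1 (SubjectPublicKeyInfo) would need an X.509 parser and is deliberately rejected. The certificate bytes and the owner name `_443._tcp.host.example.` are constructed stand-ins, not a real certificate or zone.

```python
"""Build and verify DANE TLSA records (RFC 6698) for a host certificate.

Added example, not from the dnsmasq mailing list thread. Works on the DER
bytes of a certificate; the sample bytes below are a constructed stand-in
and not a real X.509 certificate.
"""
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded leaf certificate (not real X.509 data).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

# TLSA field values from RFC 6698 (only the subset used here).
USAGE_DANE_EE = 3          # domain-issued end-entity cert, no PKIX chain validation
SELECTOR_FULL_CERT = 0     # hash the full DER certificate
MATCH_SHA256 = 1
MATCH_SHA512 = 2

_HASHES = {MATCH_SHA256: hashlib.sha256, MATCH_SHA512: hashlib.sha512}


def tlsa_association(cert_der: bytes, matching_type: int = MATCH_SHA256) -> str:
    """Return the lowercase hex certificate association data for selector 0."""
    try:
        digest = _HASHES[matching_type]
    except KeyError:
        raise ValueError(f"unsupported TLSA matching type {matching_type}")
    return digest(cert_der).hexdigest()


def tlsa_record(owner: str, cert_der: bytes, matching_type: int = MATCH_SHA256) -> str:
    """Render a zone-file line such as '_443._tcp.host.example. IN TLSA 3 0 1 <hex>'."""
    return (f"{owner} IN TLSA {USAGE_DANE_EE} {SELECTOR_FULL_CERT} "
            f"{matching_type} {tlsa_association(cert_der, matching_type)}")


_RDATA = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+([0-9a-fA-F\s]+)$")


def parse_tlsa_rdata(rdata: str):
    """Split 'usage selector matching hexdata' into ints and normalized hex."""
    m = _RDATA.match(rdata.strip())
    if not m:
        raise ValueError("malformed TLSA RDATA")
    usage, selector, matching, hexdata = m.groups()
    return int(usage), int(selector), int(matching), re.sub(r"\s+", "", hexdata).lower()


def dane_matches(rdata: str, presented_cert_der: bytes) -> bool:
    """Check a presented certificate against one TLSA record.

    Only usage 3 / selector 0 / SHA-256 or SHA-512 are handled; anything else
    (PKIX-constrained usages, SPKI selector, exact-match type) is rejected
    rather than silently accepted, so a record this code cannot evaluate can
    never produce a false "match".
    """
    usage, selector, matching, expected = parse_tlsa_rdata(rdata)
    if usage != USAGE_DANE_EE or selector != SELECTOR_FULL_CERT or matching not in _HASHES:
        return False
    actual = tlsa_association(presented_cert_der, matching)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    line = tlsa_record("_443._tcp.host.example.", SAMPLE_CERT_DER)
    print(line)
    print("matches:", dane_matches(line.split(" IN TLSA ")[1], SAMPLE_CERT_DER))
```

The TLSA record is only as trustworthy as the DNSSEC chain that protects it; a validating resolver must refuse to use TLSA data that is not authenticated, which is why the zone holding these records has to be signed in the first place.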


